Add Field
The Add Field rule attaches a new key-value field to logs, optionally conditioned on a regex match. Use it to enrich logs with context that the application doesn't include natively.
When to Use
- You want to tag logs with team ownership, environment labels, or service tiers.
- Logs from a workload are missing a field you need for filtering or routing.
- You want to flag logs matching certain patterns (e.g., add alert=true to error logs).
- You need to add routing metadata for downstream consumers or alert rules.
Fields
| Field | Required | Description |
|---|---|---|
| Name | Yes | Rule identifier |
| Source Field | No | The field to evaluate for the condition. If empty, the entire log body is used |
| Regular Expression | No | Optional condition — only logs matching this pattern get the new field. Leave empty to add the field to all matching logs |
| New Field | Yes | The name of the field to add |
| Value | Yes | The value to assign to the new field |
How It Works
- If a Regular Expression is provided, the rule checks the source field (or full log body) for a match.
- If the regex matches (or if no regex is provided), the new field is added to the log with the specified value.
- If the regex doesn't match, the log passes through without the new field.
Examples
Tag Logs by Team
- Source Field: (empty — match entire log body)
- Regular Expression: payment|checkout|billing|stripe
- New Field: team
- Value: payments-team
Result: All logs mentioning payment-related terms are tagged with team=payments-team, making it easy to filter by team ownership.
Add Environment Label
- Regular Expression: (empty — apply to all logs)
- New Field: environment
- Value: production
Result: All logs from the matched workloads get environment=production. Useful when combined with a Rule Matcher targeting a specific namespace like prod/*.
Flag Error Logs for Alerting
- Source Field: severity
- Regular Expression: ERROR|CRITICAL|FATAL
- New Field: requires_attention
- Value: true
Result: Error-level logs are tagged with requires_attention=true, which can be used to trigger alert rules or filter dashboards.
Add Service Tier
- Regular Expression: (empty)
- New Field: tier
- Value: tier-1
Combined with a Rule Matcher like prod/api-gateway/*, this tags all API gateway logs as tier-1 for prioritized monitoring.
Tips
- When no regex is specified, the field is added to every log matching the pipeline's Rule Matcher. Use this for blanket enrichment like environment or team tags.
- The added field is fully indexed and can be used in searches, filters, dashboards, and alert conditions.
- You can add multiple Add Field rules in the same pipeline to attach several metadata fields at once.
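The evaluation described under How It Works, modelled locally so patterns can be tried on sample logs before a rule is deployed. This is an added example, not the product's code; it assumes unanchored, case-sensitive matching (Python's re.search), treats a log without the Source Field as a non-match, and uses a hypothetical body key for the full log text.

```python
import re

# Local model of the Add Field rule, for trying patterns on sample logs.
# Assumptions (not stated on the page): unanchored, case-sensitive search as in
# Python's re.search; a log lacking the Source Field counts as "no match";
# the "body" key holding the full log text is a hypothetical name.

def add_field(log, new_field, value, regex=None, source_field=None):
    """Return a copy of `log` with new_field=value added if the condition holds."""
    if regex:
        target = log.get(source_field) if source_field else log.get("body", "")
        if target is None or not re.search(regex, str(target)):
            return dict(log)          # no match: log passes through unchanged
    out = dict(log)
    out[new_field] = value            # match, or no regex: field is added
    return out

def run_pipeline(log, rules):
    """Apply several Add Field rules in order, as in one pipeline."""
    for rule in rules:
        log = add_field(log, **rule)
    return log

# Rules taken from the Examples section of this page.
RULES = [
    {"regex": "payment|checkout|billing|stripe",
     "new_field": "team", "value": "payments-team"},
    {"regex": "ERROR|CRITICAL|FATAL", "source_field": "severity",
     "new_field": "requires_attention", "value": "true"},
    {"new_field": "environment", "value": "production"},
]

# Constructed sample logs (not real output from any system).
SAMPLES = [
    {"severity": "ERROR", "body": "stripe webhook signature check failed"},
    {"severity": "INFO", "body": "profile service: user edited billing address"},
    {"severity": "INFO", "body": "retry after ERROR from upstream"},
    {"body": "cache warmed"},
]

def tagged(samples=SAMPLES, rules=RULES):
    """Run every sample through the pipeline and return the enriched copies."""
    return [run_pipeline(s, rules) for s in samples]

if __name__ == "__main__":
    for log in tagged():
        print(log)
```

The second sample shows a body-wide pattern tagging a log from an unrelated service that merely mentions billing; the third shows that scoping the condition to severity keeps the word ERROR in the body from setting requires_attention.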